https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/tree/win10-klfh
These exploits were developed for the HEVD win10-klfh branch (not master). In that branch, the pool buffer and object sizes are adjusted for the kernel Low Fragmentation Heap (kLFH), which recent Windows 10 versions implement.
Each exploit was tested on x64 Windows 10 version 1903 build 18362.30.
An exploit triggering a stack overflow bug in a function protected by Stack Guard (GS).
The code was ported from Kristal's code, utilizing an arbitrary read primitive to calculate the stack cookie, except for the ROP chain. The initial ROP chain, which enabled the supervisor bit in the PTE, was detected by kCFG (KERNEL_SECURITY_CHECK_FAILURE), so I used another chain that copies the shellcode to a buffer in kernel space. I didn't know that kCFG still checks whether an address is in kernel space even when VBS is not enabled.
Please note that the process sometimes terminates silently when handling the NtQuerySystemInformation call used to obtain the kernel StackLimit value. Just try again if the call fails. And let me know if you know the reason :-)
An exploit triggering a use-after-free bug in the function.
After controlling the UAF object's method address, a stack pivot is used to run the same ROP chain as in the stack overflow GS case. The idea for recovering from the shellcode is based on the type confusion exploit write-up by Kristal.
The difficulty was how to debug the ROP chain and shellcode during the stack pivot. I always got the bug check IRQL_NOT_LESS_OR_EQUAL at nt!KiInterruptSubDispatchNoLockNoEtw+0x20 when I tried to break in and resume execution. Is execution on a fake kernel stack allocated in user space highly likely to be interrupted by another kernel thread, which then causes the bug check? So I had to reboot the system frequently.
Please note that this exploit code targets the win10-klfh branch of HEVD. It will not work on older OS versions.
TBD